Security Bulletin: Security Vulnerabilities in the IBM Java SE were fixed in the IBM Security Directory Integrator (CVE-2024-21094, CVE-2024-21085, CVE-2024-21011, CVE-2023-38264)

2024-07-2322:39:28

www.ibm.com

ibm security directory integrator

ibm java se

vulnerabilities

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

6.7

Confidence

High

JSON

Summary

Multiple Security Vulnerabilties in the IBM Java SE package were addresssed and shipped with the IBM Security Directory Integrator.

Vulnerability Details

CVEID:CVE-2024-21094
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/287959 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2024-21085
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause low availability impacts.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/288000 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2024-21011
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause low availability impact.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/288020 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2023-38264
**DESCRIPTION:**The IBM SDK, Java Technology Edition’s Object Request Broker (ORB) 7.1.0.0 through 7.1.5.21 and 8.0.0.0 through 8.0.8.21 is vulnerable to a denial of service attack in some circumstances due to improper enforcement of the JEP 290 MaxRef and MaxDepth deserialization filters. IBM X-Force ID: 260578.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/260578 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Security Directory Integrator	7.2.0
IBM Security Directory Integrator	10.0.0

Remediation/Fixes

IBM Strongly recommends that customers update to the latest versions of software.

IBM Security Directory Integrator 10.0.0 Container can be found in the documentation here.

<https://www.ibm.com/docs/en/svdi/10.0.0?topic=containers-images>

Principal Product and Versions	Fix Availability
IBM Security Director Integrator 7.2.0	7.2.0-ISS-SDI-LA0032
IBM Security Directory Integrator 10.0.0	ibm-svdi-10.0.0-LA0002

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmsecurity_directory_integratorMatch7.2.0

ibmsecurity_directory_integratorMatch10.0.0

VendorProductVersionCPE
ibmsecurity_directory_integrator7.2.0cpe:2.3:a:ibm:security_directory_integrator:7.2.0:*:*:*:*:*:*:*
ibmsecurity_directory_integrator10.0.0cpe:2.3:a:ibm:security_directory_integrator:10.0.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ibm	security_directory_integrator	7.2.0	cpe:2.3:a:ibm:security_directory_integrator:7.2.0:::::::*
ibm	security_directory_integrator	10.0.0	cpe:2.3:a:ibm:security_directory_integrator:10.0.0:::::::*